Solved

hash algorithm

Posted on 2003-03-12
Medium Priority
436 Views
i have been reading about hash algorithms and i am a little confused.  to my understanding, you take a message and then run it through this 'hash calcualtor', this will then spit out a number that cannot be duplicated by any other message.  but my question is, does this alter the original message or is this new number just sent along with the message, to prove that it hasn't been altered. so that at the other end, the recipient can run the same message through the 'hash calculator' and then compare the numbers.
0
Question by:jeffreybisko
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

• Help others & share knowledge
• Earn cash & points
• 3

LVL 2

Expert Comment

ID: 8121133
Jeff,

The result of a hash, called a 'digest', cannot be reversed.  This means sending the digest in lieu of the plain text message would not do the recipient much good (he could not derive the original message).  So, your second guess was correct - the digest is sent along with the plain text message to help verify the integrity of the message.

There's more to this story, however.  If I send you a plain text message with a digest attached to it, how can you be sure that someone did not intercept the message, alter it, create a new digest of the altered message and replace my original digest?

Encryption plays a role in protecting the digest.  Asymmetric encryption to be precise.  In asymmetric encryption, a pair of keys are used.  One key is public (anyone can know it), and the other is private (only the owner of the pair of keys should know the private key).  In asymmetric encryption, a message encrypted with one key in the pair can only be decrypted by the other key in the pair.  For example, if you encrypt a message with my public key, only someone with my private key can decrypt it (hopefully, I'm the only one with my private key!).

Digital signatures use both one-way hashes and asymmetric encryption.  Here's an example:

1) I write a message to you.
2) I create a digest of the message.
3) I encrypt the digest with my private key.
4) I send the plain text message to you, with the encrypted digest attached (the 'signature').
5) You create a digest of the message you received.
6) You decrypt my signature (the encrypted digest) with my public key and compare the digest you created to the digest from my signature.

If both digests match, you can be assured the message has not been tampered with.  Additionally, since you were able to decrypt the signature with my public key, you know that only someone with my private key could have signed the message.  Since I am the only person with my private key, you know that I am the one who signed it, and I cannot deny signing it.

I would like to make a few points about digital signatures, although they are outside the scope of your question:
-Confidentiality is not achieved.  Anyone can read the message I sent you, even though it is signed.
-If my private key is compromised, all is lost.
-You have to be reasonably assured that the public key you think is mine is in fact my public key (in other words, you need to be certain someone hasn't given you their key, but claim it is mine).  Digital certificates help solve the problems associated with exchanging public keys.

Hope that helps,
Jason Deckard
0

LVL 2

Accepted Solution

Jason_Deckard earned 200 total points
ID: 8121200
Jeff,

The result of a hash, called a 'digest', cannot be reversed.  This means sending the digest in lieu of the plain text message would not do the recipient much good (he could not derive the original message).  So, your second guess was correct - the digest is sent along with the plain text message to help verify the integrity of the message.

There's more to this story, however.  If I send you a plain text message with a digest attached to it, how can you be sure that someone did not intercept the message, alter it, create a new digest of the altered message and replace my original digest?

Encryption plays a role in protecting the digest.  Asymmetric encryption to be precise.  In asymmetric encryption, a pair of keys are used.  One key is public (anyone can know it), and the other is private (only the owner of the pair of keys should know the private key).  In asymmetric encryption, a message encrypted with one key in the pair can only be decrypted by the other key in the pair.  For example, if you encrypt a message with my public key, only someone with my private key can decrypt it (hopefully, I'm the only one with my private key!).

Digital signatures use both one-way hashes and asymmetric encryption.  Here's an example:

1) I write a message to you.
2) I create a digest of the message.
3) I encrypt the digest with my private key.
4) I send the plain text message to you, with the encrypted digest attached (the 'signature').
5) You create a digest of the message you received.
6) You decrypt my signature (the encrypted digest) with my public key and compare the digest you created to the digest from my signature.

If both digests match, you can be assured the message has not been tampered with.  Additionally, since you were able to decrypt the signature with my public key, you know that only someone with my private key could have signed the message.  Since I am the only person with my private key, you know that I am the one who signed it, and I cannot deny signing it.

I would like to make a few points about digital signatures, although they are outside the scope of your question:
-Confidentiality is not achieved.  Anyone can read the message I sent you, even though it is signed.
-If my private key is compromised, all is lost.
-You have to be reasonably assured that the public key you think is mine is in fact my public key (in other words, you need to be certain someone hasn't given you their key, but claim it is mine).  Digital certificates help solve the problems associated with exchanging public keys.

Hope that helps,
Jason Deckard
0

LVL 2

Expert Comment

ID: 8121214
Double post.  Sorry about that :)
0

LVL 1

Expert Comment

ID: 8137085
You are not confused at all. You are right when you say that the 'hash value' accompanies the original message.

The recipient takes the original messages, computes a hash value and compares it to yours.

If they match, ta da, the original message did not change enroute.

Now of course that's quite simplistic, there are quite a few issues, which you may have read about, and which may lead to confusion.
0

Author Comment

ID: 8137197
sorry it took me so long.  i have been swamped.
0

Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A look at what happened in the Verizon cloud breach.
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month8 days, 12 hours left to enroll